Here’s the LDAP config for all 3:

Server 1 (Works: 0.9.13-incubating):

#LDAP properties
ldap-hostname:ldapserver
ldap-port:389
ldap-encryption-method:none
ldap-dereference-aliases:never
ldap-search-bind-dn:cn="Directory Manager"
ldap-search-bind-password:password
ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute:uid
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Server 2 (Works: 0.9.13-incubating):

#LDAP properties
ldap-hostname:ldapserver
ldap-port:389
ldap-encryption-method:none
ldap-dereference-aliases:never
ldap-search-bind-dn:cn="Directory Manager"
ldap-search-bind-password:password
ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute:uid
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Server 3 (Does NOT work: 1.0.0):

#LDAP properties
ldap-hostname:ldapserver
ldap-port:389
ldap-encryption-method:none
ldap-dereference-aliases:never
ldap-search-bind-dn:cn="Directory Manager"
ldap-search-bind-password:password
ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute:uid
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Thanks,
Harry

From: Mike Jumper <mjum...@apache.org>
Sent: Wednesday, May 20, 2020 4:18 PM
To: user@guacamole.apache.org
Subject: Re: Issue configuring LDAP

On Wed, May 20, 2020 at 1:06 PM Devine, Harry (FAA) <harry.dev...@faa.gov.invalid> wrote:

We have 3 servers all configured this way (I’ve redacted sensitive information); 2 work and 1 doesn’t:

#LDAP properties
ldap-hostname:ldapserver
ldap-port:389
ldap-encryption-method:none
ldap-dereference-aliases:never
ldap-search-bind-dn:cn="Directory Manager"
ldap-search-bind-password:password
ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute:uid
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Can you pull the configuration from the 2 working servers (if the above isn't already this)?

I am surprised that the above work, because:

1) The search bind DN doesn't look fully qualified (it may well be correct for your LDAP directory, but it does look odd)

2) The search bind DN contains quotes within the value of the "cn" attribute. I believe these would be interpreted as literal quotes to be included as part of the DN, automatically escaped by Guacamole when it uses the DN to authenticate. Unless the username of the bind user is indeed ""Directory Manager"", I would expect this to instead be "cn=Directory Manager", or "cn=Directory Manager,dc=example,dc=com", or similar.

Thanks,

- Mike
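
The two points raised about the search bind DN can be checked mechanically before a config is deployed. The following is an added example, not part of the thread and not Guacamole's own code: it reads the LDAP block as a Java properties file, where quotes are ordinary characters, and reports DN values that contain literal quotes (with the RFC 4514 escaped form) or that have no dc= component. The function names, the finding codes and the dc= heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: DN-valued lines of the LDAP block posted in the thread.
SAMPLE = """\
#LDAP properties
ldap-search-bind-dn:cn="Directory Manager"
ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com
"""
DN_KEYS = ("ldap-search-bind-dn", "ldap-user-base-dn", "ldap-group-base-dn")

def parse_properties(text):
    """Minimal Java-properties reader: the key ends at the first ':' or '='.
    Quotes in the value are kept verbatim, as java.util.Properties does."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"([^:=\s]+)\s*[:=]?\s*(.*)", line.strip())
        if m and m.group(1)[0] not in "#!":      # skip comment lines
            props[m.group(1)] = m.group(2)
    return props

def escape_value(value):
    """Escape an attribute value for an RFC 4514 DN string."""
    out = re.sub(r'([",+;<>\\])', r"\\\1", value).replace("\x00", "\\00")
    if out[:1] in (" ", "#"):                    # leading space or '#'
        out = "\\" + out
    if out.endswith(" "):                        # trailing space
        out = out[:-1] + "\\ "
    return out

def lint(text):
    """Return (key, code, detail) findings for the DN-valued properties."""
    findings = []
    props = parse_properties(text)
    for key in DN_KEYS:
        dn = props.get(key)
        if dn is None:
            continue
        # Split on commas that are not backslash-escaped (simplified splitter).
        rdns = [r.partition("=") for r in re.split(r"(?<!\\),", dn)]
        for attr, _, value in rdns:
            if re.search(r'(?<!\\)"', value):    # quote taken literally
                findings.append((key, "literal-quote", f"{attr}={escape_value(value)}"))
        # Heuristic (assumes a dc-based suffix, as in the base DNs on this page).
        if not any(attr.strip().lower() == "dc" for attr, _, _ in rdns):
            findings.append((key, "no-dc", dn))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

A "no-dc" finding is only a prompt to confirm the DN against the directory; some servers define administrative entries outside the normal suffix.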